JenX Botnet Emerges to Target IoT Devices and Grand Theft Auto

A new botnet, dubbed JenX, shares characteristics with the Satori botnet, and is using Grand Theft Auto (GTA) to recruit internet of things (IoT) devices.

According to Radware, the botnet uses hosted servers to find and infect new victims, leveraging one of two known vulnerabilities that have become popular in IoT botnets recently: CVE-2014-8361 and CVE-2017-17215. Exploits for both are publicly known.

Both exploit vectors are known from the Satori botnet. The malware is based on the Satori code that was part of a recent public Pastebin post by the author of BrickerBot, along with attributes from the PureMasuta botnet, which had its source code published in an invite-only dark forum, the firm said.

Interestingly, the bot herder seems to be a big gaming fan: Radware researchers found that the command and control server is hosted under the domain sancalvicie.com, a site that provides mod servers for Grand Theft Auto: San Andreas, in addition to cybercrime offerings like distributed denial of service (DDoS) via the botnet.

One of those services is dubbed “Corriente Divina” (which translates to “divine stream”). It’s described as “God’s wrath will be employed against the IP that you provide us.”

According to Radware researcher Pascal Geenens, it provides a DDoS service with a guaranteed bandwidth of 290 to 300 Gbps.

Interestingly, the bot itself carries no scanning or exploit payloads, meaning that this functionality is centralized on the attacker's servers. This gives the bot herders more flexibility to add and improve the functionality as they go.

“Untypical for IoT botnets we have witnessed in the past year, this botnet uses servers to perform the scanning and the exploits,” Geenens said. “Nearly all botnets, including Mirai, Hajime, Persirai, Reaper, Satori and Masuta, perform distributed scanning and exploiting. That is, each victim that is infected with the malware will perform its own search for new victims. This distributed scanning provides for an exponential growth of the botnet, but that comes at the price of flexibility and sophistication of the malware itself.”

Since it doesn’t spread machine-to-machine, JenX targets the C2 site’s other obsession. Or rather, its competition.

“Unless you frequently play GTA San Andreas, you will probably not be directly impacted,” said Geenens. “The botnet is supposed to serve a specific purpose and be used to disrupt services from competing GTA SA multiplayer servers. I do not believe that this will be the botnet that will take down the internet. But it does contain some interesting new evolutions, and it adds to a list of IoT botnets that is growing longer and faster every month.”

He did have a caveat: “That said, there is nothing that stops one from using the cheap $20 per-target service to perform 290 Gbps attacks on business targets and even government related targets. I cannot believe the San Calvicie group would be opposed to it.”
